GDPR in Retail: From Zero to Compliance in One Week

GDPR is a fundamental shift in personal data ownership—and it’s not just Europe. The adoption of similar privacy legislation is growing around the world. A case in point is the recently adopted California Consumer Privacy Act and Brazil’s General Data Privacy Law. Other countries are implementing comparable legislation or updating their privacy laws to mirror GDPR as well.

Although companies have had two years to prepare for GDPR, many remained in the dark about the impact of the new rules on their business until those rules took effect on May 25, 2018. Many chose to take a “wait and see” approach. “It hasn’t been a reality until now,” explained Jerrod Bailey, chief strategy officer for IntraEdge, maker of GDPR Edge, an enterprise compliance solution.

“We have companies that have come to us since the May 25th deadline, and in some cases, they have received 10,000 requests in the first week. These companies were prepared for tens, a dozen, requests. They weren't prepared for 10,000.”

The punitive risks for material noncompliance with the GDPR’s provisions on individual data subject rights can be substantial, with fines up to €20 million or 4 percent of annual global revenue, whichever is higher. Especially in the retail industry, the search is on for a path to meet at least the minimum GDPR regulatory requirements, specifically one that is effective, quick, causes minimum disruption, and can address future changes in both the regulatory and system environments.

Giving Retailers the Edge on Compliance

In response to this need, IntraEdge built GDPR Edge—a unique solution designed specifically to address the requirements of the regulation. The system relies on highly secure blockchain technology to protect data and enable compliance throughout multiple touchpoints, which can be especially important to retailers.

“One of the major areas where retailers are collecting data is at the point-of-sale,” explained Bailey. “A lot of retailers just don't have any compliance solutions for point-of-sale. We have the ability to integrate about 98 percent of the point-of-sales systems out there.”

The company was able to help one online-only retailer automate compliance across all its brands in the EU. In eight weeks, the retailer had three primary and independent systems feeding diverse customer information into a single data lake. As consumers interact with the brand online and make purchases, transactions receive a unique tag, so they can be found easily. The process allows the retailer to demonstrate compliance with critical elements of the GDPR, with a minimal burden on operations and at a fraction of the cost of developing a custom solution.

Sometimes the system can be set up even faster. Some deployments have started processing access requests and deploying workflow management and reporting tools in less than a week and at a service cost of under $1,000 a month.

Centralized Data—Automated Process

At the core of the system are four key elements—a data lake, a blockchain ledger, customized portals, and APIs, as shown in Figure 1.

Figure 1. The GDPR Edge solution elements.

Data in the lake is protected by a blockchain ledger that maintains a forensically valuable history of system activity. Data from interactions is transferred to the ledger, where information is certified as un-tampered, and then to the data lake where interaction records live. When a consumer request is made, a record is kept of the interaction activity.
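To make the flow just described concrete, here is a small tamper-evident ledger placed in front of a record store, written as an added example for this article; it is not IntraEdge's or GDPR Edge's code, and the `Ledger`/`DataLake` classes, the event names, the uuid-based record tag and the sample customer records are all assumptions. Each interaction (ingest, access request, erasure) is appended to a hash chain that stores only a hash of the record, never the personal data itself, so an auditor can verify the history and check that a record in the lake still matches what the ledger certified.

```python
import hashlib
import json
import uuid
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional, Tuple

GENESIS_HASH = "0" * 64


def canonical(obj) -> str:
    """Deterministic JSON so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"))


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class Entry:
    index: int
    event: str            # assumed event names: "ingest", "access_request", "erasure"
    record_tag: str       # unique tag attached to the customer transaction
    payload_hash: str     # hash of the lake record; the ledger never holds the data
    prev_hash: str        # hash of the previous entry, the chain link
    entry_hash: str = ""  # filled in when the entry is appended


def entry_hash(e: Entry) -> str:
    fields = asdict(e)
    fields.pop("entry_hash")
    return sha256_hex(canonical(fields))


class Ledger:
    """Append-only, hash-chained activity log (hypothetical stand-in for the article's ledger)."""

    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, event: str, record_tag: str, payload: dict) -> Entry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS_HASH
        e = Entry(len(self.entries), event, record_tag, sha256_hex(canonical(payload)), prev)
        e.entry_hash = entry_hash(e)
        self.entries.append(e)
        return e

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Recompute every link; return (ok, index of the first broken entry or None)."""
        prev = GENESIS_HASH
        for e in self.entries:
            if e.prev_hash != prev or e.entry_hash != entry_hash(e):
                return False, e.index
            prev = e.entry_hash
        return True, None


class DataLake:
    """Interaction records live here; every change is written to the ledger first."""

    def __init__(self, ledger: Ledger) -> None:
        self.ledger = ledger
        self.records: Dict[str, dict] = {}

    def ingest(self, source: str, record: dict) -> str:
        tag = str(uuid.uuid4())  # assumed tagging scheme so the record can be found later
        stored = {"tag": tag, "source": source, "data": record}
        self.ledger.append("ingest", tag, stored)
        self.records[tag] = stored
        return tag

    def access_request(self, tag: str) -> Optional[dict]:
        """Serve a data-subject access request and log that it happened."""
        rec = self.records.get(tag)
        self.ledger.append("access_request", tag, rec or {})
        return dict(rec) if rec else None

    def erase(self, tag: str) -> bool:
        if tag not in self.records:
            return False
        self.ledger.append("erasure", tag, {})  # hash of an empty payload marks deletion
        del self.records[tag]
        return True

    def certified(self, tag: str) -> bool:
        """Does the record currently in the lake still match its latest ledger entry?"""
        rec = self.records.get(tag)
        latest = next((e for e in reversed(self.ledger.entries) if e.record_tag == tag), None)
        if rec is None or latest is None:
            return False
        return latest.payload_hash == sha256_hex(canonical(rec))


def demo() -> dict:
    """Constructed sample run: two touchpoints feed the lake, one access request, one erasure."""
    ledger = Ledger()
    lake = DataLake(ledger)
    t1 = lake.ingest("pos", {"email": "a.customer@example.com", "order": "POS-1001"})
    t2 = lake.ingest("web", {"email": "b.customer@example.com", "order": "WEB-2002"})
    lake.access_request(t1)
    lake.erase(t2)
    return {"t1": t1, "t2": t2, "ledger": ledger, "lake": lake}
```

The two checks are deliberately separate: `Ledger.verify` detects edits to the history itself (any altered entry breaks the chain from that index on), while `DataLake.certified` detects a record in the lake that no longer matches what was logged, which is the case an auditor cares about when reviewing an access or erasure request.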

The lake plays a key role in compliance because it can be made available to data protection authorities, auditors, and data governance professionals, as well as any other data collector or processor. This results in increased accountability, information transparency, accuracy, efficiency, and ease of audit.

Users of the system can access information in the lake through custom portals. For example, individuals can review their collected personal information, modify it, or request its removal. If individuals make updates to their personal information within the portal, it kicks off a series of automated workflows on the back-end that record those changes and confirm them with the individuals.

Bailey explained: “You go to a portal. You create a login. You validate that you are who you say you are, and then you get access to your data in the data lake. That’s very unique.”

Portals can be configured so administrators and others with compliance responsibilities can see what they need to see in the lake. For example, the CRM system manager could use a custom portal to monitor GDPR activity related to that system. “Through their portal, they'll be able to see all the access requests they need to react to or the requests automated at the back end of the system,” Bailey said.

Auditors and regulators, too, can have a portal into the system. “In the EU, every country has their own privacy authority, so the likelihood of having to show a third party what you're doing is fairly high,” Bailey noted. The portal, though, can limit what they see to just the ledger.

The APIs also connect to consumer touchpoints and retailer services. Touchpoints include point-of-sale interactions, website traffic, and interaction with mobile applications. Retail services include loyalty and customer management programs.

What's more, the APIs are a two-way street. Not only can they be used to ingest data, they can be used to alter it, too. “We can anonymize or delete a record without a human being having to get involved,” Bailey said. “It’s that automation and centralization, those two components together, that make GDPR Edge very unique.”

Streamlined Solution for Complex Environments

Even though the realities and complexities of GDPR are only now hitting home, there are solutions that help streamline the compliance process.

IntraEdge offers a system geared for highly complex retail environments that have an array of data sources, customer touchpoints, and multiple point-of-sale systems. By leveraging Intel® technology, the company has built a unique solution to a multifaceted problem.

“GDPR is a big challenge, but meaningfully protecting individuals’ privacy rights is an even bigger one,” Bailey said.

About the Author

John Mello is a freelance writer and editor specializing in business and technology subjects, including consumer electronics, business computing and cyber security. His work has appeared in the Boston Globe, Boston Herald, TechNewsWorld, E-Commerce Times, CSO Online, CIO and CFO magazines. He is also a former managing editor of the Boston Business Journal and Boston Phoenix.